If the machine being sent the incorrect community is an AIX machine,
search in in /etc/snmpd.conf for the line:
logging size=0 level=0
Size means max logging size. 0 is unlimited. level can be 0,1,2, or 3,
each with more detailed logging. "3" will show you more than you ever
wanted to know, but will show the guy polling.
Most compliant SNMP agents also allow similar setting of the logging
levels, some with numbers, like AIX, some with MIN or MAX in an ini or
config file.
The devices, as implied in the append below, that typically do not
provide this capability are routers, switches, and other network
devices. However, if you have a settable SNMP agent on a machine in the
same subnet as the box getting blasted, turn its logging on and see if
you can see the offender.
Hope this helps.
Jim Kellock
"David E. Dimond" wrote:
>
> Tom,
>
> I spend a goodly portion of my day tracking these down. What you
> have here is someone hitting the device luminere.pts.umn.edu with
> an incorrect community string every nite at 12:30am. I don't know
> what sort of device this is, but it clearly has some type of SNMP
> agent capable of spitting out this trap. Unfortunately, the vendor
> - apparently IBM in this case - didn't bother encapsulating the
> vital piece of information that should accompany this trap. i.e.
> the source address of the device issuing the SNMP request with
> the wrong community string.
>
> You have two options: Convince the vendor that the bloody trap is
> useless without the source address and get them to give you proper
> code for their agent, or put a sniffer on the wire and capture the
> offending packet(s) - you already know when to start the capture...
>
> We've gone around and around with various vendors over this issue,
> and so far Cisco is the only one of the big players that seem to
> implement this. Most IOS-based Cisco kit running 12.whatever will
> give you the source address if the offender is spewing regular SNMP
> gets or '0.0.0.0' if the offender was IPX_SNMP. Note that this
> does not imply that Cisco is anywhere near having their act
> together regarding trap encapsulation... ;-)
>
> As to what could be causing this, it could be anything capable
> of performing SNMP autodiscovery. And there's LOTS of stuff out
> there now. Mostly I find it to be either a misconfigured management
> application, HP Jet-admin, or an old Microsoft IPX client looking
> for a default printer not on the local wire.
>
> Hope that helps, give me a call if you need further assistance -
> I see you're local...
>
> Oh, and the first field in the trapd.log, from the man page for
> trapd, is:
>
> "The time the event or trap was received in seconds since
> the epoch (00:00:00 GMT January 1, 1970)."
>
> Regards,
>
> Dave Dimond
> Network Systems Management
> Allina Health System
> Minneapolis, MN
> dimond@allina.com
> 612-775-1552
>
> Thomas Kunz wrote:
> >
> > Hello
> >
> > We have NetView 5.1.2, AIX 4.3.1 and Framework 3.6.1.
> > Every day at 12:30 A.M. we get the following error message in trapd.log.
> > How can I find out where it is coming from?
> > Also what do the numbers at the front of the message mean?
> >
> > 970032625 4 Wed Sep 27 00:30:25 2000 luminere.pts.umn.edu A IBM
> > Incorrect Community Name (authenticationFailure Trap)
> >
> > Thanks in advance.
> >
> > Thanks and have a great day! :-)
> > Tom Kunz
> > OIT/PTS Network & AIX Systems Support
> > University of Minnesota
> > 1300 S. 2nd St.
> > Mpls., MN. 55454-1083
> > Suite 660
> > Phone: 612-624-8086
> > Fax: 612-626-1332
> > Email: t-kunz@cafe.tc.umn.edu
> >
> > **************************************************************************
> > This e-mail and its attachments have been scanned for viruses.
> > NDIS/ADCS University of Minnesota
> > **************************************************************************
> > _________________________________________________________________________
> > NV-L List information and Archives: http://www.tkg.com/nv-l
|